Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: python-aiosmtpd@packages.debian.org, dale@dalerichards.net
Control: affects -1 + src:python-aiosmtpd
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
This update resolves two security vulnerabilities present in
the version of python-aiosmtpd in Bullseye (1.2.2-1):
* CVE-2024-27305 - SMTP smuggling due to poor handling of
non-standard line endings (Bug: #1066820)
* CVE-2024-34083 - STARTTLS unencrypted command injection
(Bug: #1072119)
These have both been deemed unworthy of a DSA, but the
Security Team have suggested we update this package for the
next Bullseye point release.
[ Impact ]
Without this update, Debian 11 systems running aiosmtpd would
remain vulnerable to the two CVEs listed above.
[ Tests ]
The upstream package includes a comprehensive suite of tests,
all of which are passing with this new version. Additionally,
I have installed the new package on a Bullseye test box and
performed manual testing, confirming that the package's main
functionality works and that the two vulnerabilities are
correctly resolved.
[ Risks ]
The code changes are minor, and bring aiosmtpd into compliance
with the relevant sections of RFC 3207[1] and RFC 5321[2].
The update can therefore be considered low risk, and will not
cause an issue with any RFC-compliant SMTP client or MTA.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* CVE-2024-27305 - Patch aiosmtpd/smtp.py to accept only <CRLF>
as a line terminator, as mandated by RFC 5321[2]. This patch
has been adapted from the fix committed upstream[3].
* CVE-2024-34083 - Patch aiosmtpd/smtp.py to discard any
remaining unencrypted data in the input buffer upon completion
of a STARTTLS handshake, as mandated by RFC 3207[1]. This patch
has been adapted from the fix committed upstream[4].
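To see what the CVE-2024-27305 change does, here is an added example (not part of this bug report or of aiosmtpd) that mimics the DATA read loop in plain asyncio: strict=False reads lines the way the old readline() call did, strict=True the way the patched readuntil(b'\r\n') call does, over constructed payloads, including one where the peer disconnects before a CRLF-terminated end-of-data line (the IncompleteReadError case the new call raises). It assumes CPython's asyncio StreamReader semantics.

```python
import asyncio

# Constructed sample DATA payloads (not from the bug report).
CLEAN = b"Subject: hi\r\n\r\nbody\r\n.\r\n"
# A bare LF right before the '.' line: per RFC 5321 section 2.3.8 only CRLF
# terminates a line, so the '.' here is message content, not end-of-data.
BARE_LF_BEFORE_DOT = b"Subject: hi\r\n\r\nbody\n.\r\nmore\r\n.\r\n"
# Peer goes away before sending a CRLF-terminated end-of-data line.
TRUNCATED = b"Subject: hi\r\n\r\nbody"


def _reader_for(payload: bytes) -> asyncio.StreamReader:
    """Build a StreamReader pre-filled with the payload followed by EOF."""
    reader = asyncio.StreamReader()
    reader.feed_data(payload)
    reader.feed_eof()
    return reader


async def _collect(payload: bytes, strict: bool) -> tuple:
    """Collect DATA lines until the end-of-data marker.

    strict=False mirrors the pre-fix readline() loop (a bare LF ends a line);
    strict=True mirrors the patched readuntil(b'\\r\\n') loop.
    Returns (lines, status) with status 'ok' (marker seen) or 'eof'.
    """
    reader = _reader_for(payload)
    lines = []
    while True:
        try:
            if strict:
                line = await reader.readuntil(b"\r\n")
            else:
                line = await reader.readline()
        except asyncio.IncompleteReadError:
            # readuntil() raises when EOF arrives before a CRLF.
            return lines, "eof"
        if not line:
            # readline() instead returns b'' once the buffer is drained at EOF.
            return lines, "eof"
        if line == b".\r\n":
            return lines, "ok"
        lines.append(line)


def data_lines(payload: bytes, strict: bool) -> tuple:
    # Synchronous wrapper so the two read strategies can be compared directly.
    return asyncio.run(_collect(payload, strict))
```

With the old reader the bare-LF payload ends after three lines and `more\r\n.\r\n` is left unread in the stream; with the patched reader the whole message is kept and the marker is only honoured on its own CRLF-terminated line.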
[ Other info ]
References:
[1] https://datatracker.ietf.org/doc/html/rfc3207#page-7
[2] https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
[3] https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
[4] https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
diff -Nru python-aiosmtpd-1.2.2/debian/changelog python-aiosmtpd-1.2.2/debian/changelog
--- python-aiosmtpd-1.2.2/debian/changelog 2020-12-19 15:05:26.000000000 +0000
+++ python-aiosmtpd-1.2.2/debian/changelog 2024-06-14 14:09:42.000000000 +0100
@@ -1,3 +1,13 @@
+python-aiosmtpd (1.2.2-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * CVE-2024-27305 - SMTP smuggling due to poor handling of
+ non-standard line endings (Closes: #1066820)
+ * CVE-2024-34083 - STARTTLS unencrypted command injection
+ (Closes: #1072119)
+
+ -- Dale Richards <dale@dalerichards.net> Fri, 14 Jun 2024 14:09:42 +0100
+
python-aiosmtpd (1.2.2-1) unstable; urgency=medium
[ Ondřej Nový ]
diff -Nru python-aiosmtpd-1.2.2/debian/patches/0005-cve-2024-34083.patch python-aiosmtpd-1.2.2/debian/patches/0005-cve-2024-34083.patch
--- python-aiosmtpd-1.2.2/debian/patches/0005-cve-2024-34083.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.2.2/debian/patches/0005-cve-2024-34083.patch 2024-06-14 14:09:42.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2024-34083 - STARTTLS unencrypted command injection
+Author: Dale Richards <dale@dalerichards.net>
+Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
+Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -209,6 +209,9 @@
+ self._reader._transport = transport
+ self._writer._transport = transport
+ self.transport = transport
++ # Discard any leftover unencrypted data
++ # See https://tools.ietf.org/html/rfc3207#page-7
++ self._reader._buffer.clear() # type: ignore[attr-defined]
+ # Do SSL certificate checking as rfc3207 part 4.1 says. Why is
+ # _extra a protected attribute?
+ self.session.ssl = self._tls_protocol._extra
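Review bot: the new `self._reader._buffer.clear()` line reaches into a private attribute of asyncio.StreamReader (the `# type: ignore[attr-defined]` acknowledges this); it works with the Python 3.9 in bullseye, but a short comment saying the line depends on CPython's StreamReader internals would help whoever next touches this file. On the DEP-3 header: the cover letter says the patch was adapted from the upstream commit, and DEP-3 reserves `Origin: upstream` for an unmodified cherry-pick and uses `backport` for an adapted one, so `Origin: backport, https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda` would be more accurate; a `Bug-Debian: https://bugs.debian.org/1072119` field would also link the Debian bug this closes.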
diff -Nru python-aiosmtpd-1.2.2/debian/patches/0006-cve-2024-27305.patch python-aiosmtpd-1.2.2/debian/patches/0006-cve-2024-27305.patch
--- python-aiosmtpd-1.2.2/debian/patches/0006-cve-2024-27305.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.2.2/debian/patches/0006-cve-2024-27305.patch 2024-06-14 14:09:42.000000000 +0100
@@ -0,0 +1,30 @@
+Description: CVE-2024-27305 - SMTP smuggling
+ SMTP smuggling due to poor handling of
+ non-standard line endings
+Author: Dale Richards <dale@dalerichards.net>
+Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
+Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -31,7 +31,7 @@
+
+ DATA_SIZE_DEFAULT = 33554432
+ EMPTYBYTES = b''
+-NEWLINE = '\n'
++NEWLINE = '\r\n'
+
+
+ class _Missing:
+@@ -876,7 +876,8 @@
+ size_exceeded = False
+ while self.transport is not None: # pragma: nobranch
+ try:
+- line = await self._reader.readline()
++ # https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
++ line: bytes = await self._reader.readuntil(b'\r\n')
+ log.debug('DATA readline: %s', line)
+ except asyncio.CancelledError:
+ # The connection got reset during the DATA command.
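Review bot: replacing `readline()` with `readuntil(b'\r\n')` changes which exceptions the loop must handle, and this hunk only shows the `CancelledError` branch: `readline()` returns the partial line at EOF and turns an over-long line into `ValueError`, whereas `readuntil()` raises `asyncio.IncompleteReadError` when the client disconnects before a CRLF-terminated line and `asyncio.LimitOverrunError` (with the data left in the buffer) when a line exceeds the stream limit. Please confirm that the rest of `smtp_DATA`, below this hunk, handles both cases. Two smaller points: `NEWLINE` is a module-level constant whose consumers are not in this hunk, so check that nothing splits on it expecting a single `\n`; and the `DATA readline:` log message now describes a `readuntil` call, which is a minor wording nit.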
diff -Nru python-aiosmtpd-1.2.2/debian/patches/series python-aiosmtpd-1.2.2/debian/patches/series
--- python-aiosmtpd-1.2.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.2.2/debian/patches/series 2024-06-14 14:09:42.000000000 +0100
@@ -0,0 +1,2 @@
+0006-cve-2024-27305.patch
+0005-cve-2024-34083.patch
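Review bot: `series` applies `0006-cve-2024-27305.patch` before `0005-cve-2024-34083.patch`, the opposite of what the numbering suggests. Both patches touch `aiosmtpd/smtp.py` in different hunks, so either order applies cleanly, but renaming the files to match the order in `series` (or swapping the two lines) avoids confusion when a later patch is added.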